In partnership with ControlThings, now offering courses in German and Spanish.


This is not your traditional SCADA/ICS/OT/IIoT security course!

How many courses send you home with a €500 kit including your own Programmable Logic Controller (PLC) and a set of hardware/RF hacking tools?!?

This course teaches hands-on penetration testing techniques used to test individual components of a control system, including embedded electronic field devices, network protocols, RF communications, Human Machine Interfaces (HMIs), and various forms of master servers and their ICS applications.

Skills you will learn in this course will apply directly to systems such as the Smart Grid, PLCs, RTUs, smart meters, building management, manufacturing, Home Area Networks (HAN), smart appliances, SCADA, substation automation, synchrophasors, and even IoT.

This course is structured around the formal penetration testing methodology created by UtiliSec for the United States Department of Energy. Using this methodology and ControlThings Pentest Platform (previously SamuraiSTFU), an open source Linux distribution for pentesting energy sector systems and other critical infrastructure, we will perform hands-on penetration testing tasks on user interfaces (on master servers and field device maintenance interfaces), control system protocols (modbus, DNP3, IEC 60870-5-104), RF communications (433MHz, 869MHz, 915MHz), and embedded circuit attacks (memory dumping, bus snooping, JTAG, and firmware analysis). We will tie these techniques and exercises back to control system devices that can be tested using these techniques. The course exercises will be performed on a mixture of real world and simulated devices to give students the most realistic experience as possible in a portable classroom setting.

Advances in modern control systems such as the energy sector’s Smart Grid has brought great benefits for asset owners/operators and customers alike, however these benefits have often come at a cost from a security perspective. With increased functionality and addition inter-system communication, modern control systems bring a greater risk of compromise that vendors, asset owners/operators, and society in general must accept to realize the desired benefits. To minimize this risk, penetration testing in conjunction with other security assessment types must be performed to minimize vulnerabilities before attackers can exploit critical infrastructures that exist in all countries around the world.

Ultimately, this is the goal of this course, to help you know how, when, and where this can be done safely in your control systems and OT environments.


  • Assessing and Exploiting Methodologies

  • Control System Basics

  • Production ICS Networks

  • ICS Ethernet and TCP/IP Control Protocols

  • Serial and Fieldbus Protocols

  • Maintenance Interfaces

  • RF Communications

  • EEPROM and Flash Chips

  • Firmware

Key indicators


Previously sold out at

blackhat logo black square

Learning Objectives

After the class, the attendees will be able to:

  • Explain the steps and methodology used in performing penetration tests on Industrial Control Systems, Operational Technologies and Industrial Internet of Things.
  • Use the free and open source tools in ControlThings Platform to discover and identify vulnerabilities in web applications.
  • Exploit several hardware, network, serial, user interface, RF, and server-side vulnerabilities.

Target audience

This course is designed for intermediate level security professionals, be they engineers, technicians, analysts, managers, or penetration testers.

Course Content

Day 1 Outline – Assessing and Exploiting Controllers

  • Understanding basic control system concepts, systems, and devices:
  • Understanding controller logic
    • Hands-on exercises with a PLC and HMI
  • Architecture Reviews of major ICS and smart grid systems
  • Introduction to ControlThings Platform
  • Introduction to the NESCOR methodology for penetration testing
  • Types of ICS user interfaces: traditional applications, web applications, terminal interfaces
  • Pentesting maintenance interfaces on ICS field and floor devices:
    • Hands-on exercise capturing and analyzing USB communications, impersonating endpoints in field tech interfaces, impersonating vendor endpoints with Python and exploiting vulnerabilities found during analysis

Day 2 Outline – Assessing and Exploiting ICS Communication Protocols

  • Performing traditional network pentests on control systems:
    • Overview of a traditional network penetration test methodology, port scanning on control systems
  • Pentesting different communication layers
  • Where security defenses should be place …… and tested
  • Serial communications:
    • RS-232, TIA-422, and TIA-485
    • Fieldbus Protocols and Protocol Families
    • Hands-on sniffing and injection of serial Modbus RTU
  • Pentesting TCP/IP based ICS protocols:
    • Protocol capture and analysis
    • ModbusTCP, ProfiNet, EnternetIP/CIP, DNP3, IEC 104, IEC 61850, ICCP
    • Reverse engineering unknown protocols
    • Hands-on ICS protocol fuzzing

Day 3 Outline – Assessing and Exploiting ICS RF Communications

  • Pentesting RF communications between master servers and field devices
  • Capturing RF Signals
  • Analyzing the captured signal
  • Data Extraction
  • RF Transmission
  • Hands-on exercises using Software Defined Radio: URH, rfcat and Great Scott Gadgets’ Yardstick

Day 4 Outline – Assessing and Exploiting ICS Embedded Electronics

  • Overview of pentesting embedded device circuits
  • Analysis of embedded electronics in ICS field and floor devices
  • Dumping data at rest on embedded circuits
  • Bus Snooping on embedded circuits
  • Hands-on exercises dumping EEPROMs and sniffing busses
  • Analyzing field and floor device firmware
    • Hands-on exercises disassembling firmware, analyzing disassembled firmware and exploiting firmware flaws

Next trainings

No Events

Book your training now

Make sure you take advantage of the Early Bird discount!

Seats in these classes are limited to ensure personalized experience and encourage maximum collaboration

Additional information


Basic penetration testing experience is desirable, but not required. It is assumed that attendees will have no knowledge of ICS, Smart Grid, SCADA, or critical infrastructure.

Each attendee must bring a laptop that meets the following requirements:

  • 64-bit processor with 64-bit operating system
  • VT or other 64-bit virtualization settings enabled in your BIOS to run 64-bit VMs
  • At least eight (8) GB of RAM, recommended sixteen (16) GB if possible
  • At least fifty (50) GB of free hard drive space
  • Windows 10.x installed on your host laptop or inside a VM
  • VMware Player 12 (or later), VMware Workstation 12 (or later), or VWware Fusion 8 (or later) installed BEFORE class begins. Other virtualization software such as Parallels, VirtualBox, or earlier versions of VMware products may work if the attendee is familiar with its functionality and takes full ownership of its configuration, however non-VMware software is not officially supported and VMware should be pre-installed as a backup just in case
  • Access to an account with administrative permissions and the ability to disable all security software on their laptop such as Antivirus and/or firewalls if needed for the class
  • If you are using Linux for your host machine, you will need ExFAT drivers installed for the USB drive

What we will provide:

  • IIoT hacking Kit (to take home and practice the skills learned in class)
  • PDF files of slides and workbooks
  • All meals and refreshments (on public trainings)


  • Reference material (slides, handouts, etc.): English
  • Classes: German or Spanish

ICS / IIoT security hacking kit

The IoT Security Hacking Kit contains all the tools and devices used in our hands-on classes and can only be obtained by attending the ASSESSING and EXPLOITING CONTROL SYSTEMS & IIoT training.

You can use it to learn-by-hacking in class and to keep your skills sharp after it.

  • All the basic tools for ICS / IIoT security

    Take home all the tools you need and learned to use in the training

  • Free with each registration

  • Exclusive for SevenShift trainees


  • Micro PLC
  • GreatFET One
  • Yard Stick One
  • Software defined radio (SDR) kit
  • ARM Based IoT board
  • and more

Note: the content of the kit varies per session based on the content and availability

Meet the trainer

Pablo Endres

Managing director / Lead Security Consultant / Trainer

Pablo Enjoys hacking, IoT, teaching, working with new technologies, startups, collaborating with Open Source projects, learning new things and being challenged.

In the last couple of years, he has been working mainly IoT security, testing dozens of devices and working with multiple platform providers to secure their solutions.

  • Professional Hacker
  • Experienced professional

    Not just a trainer
    15+ years of experience in security

  • Tested dozens of IoT devices and ecosystems
  • Well structured
  • Can change gears

    Adapts explanations to the level of the crowd

  • Can explain complex things in simple words
  • Passion for teaching

Comments from our students

“Training was really comprehensive and engaging with excellent focus on vulnerabilities and threat vectors specific to IoT domain. I will recommend it to every company or individual, who is serious about IoT Security deployment”.

“A very well structured and detailed training series with the right mix of theory and practice. Pablo Endres goes into the participants´ previous knowledge, questions and comments individually. His experience as an IT Security Expert enables him to give useful and very valuable tips”.

The session was great!

For a beginner like me, I could not ask for anything more, it covered all aspects of IoT. The session was really engaging, filled with positive and negative examples. I like to know every aspect of something, I found it very beneficial to learn about all aspects of IoT.

(…) I learnt a lot of new things that I had no knowledge about before.

“The IoT Security Bootcamp by SevenShift, was a great experience with tons of information to digest. 

Pablo clearly knows the field and was able to go through the dense and challenging material during 3 amazing days. 

I walked out with actionable knowledge, and starting using directly for our projects. 

I would highly recommend the Bootcamp for anyone doing or getting in to IoT.”

“In May 2019, I attended the IoT Security Bootcamp by SevenShift. I have nothing but praise for how the workshop was run. Especially due to the trainer Pablo Endres, who was always more than pleased to help whenever I had a question.

Even though I was really rusty on programming and all technical matters, I had no issue understanding the material, which is really easy to digest once you are on track.

At each chapter of the Bootcamp, everything was explained in detail and you can notice the experience and passion of the instructor on this topic, which inspires you.  You will end up wanting to stay longer so you can learn more about it.

The course is absolutely fun and I highly recommend it. You will learn a lot about IoT and hacking!”

“In-depth and very well structured training. Even with a good  IT, electronics and microelectronics background, there is lots to be learned. It is also interesting to see things that you know from a completely different perspective. 

The training is absolutely recommendable for beginners as well as for advanced users, basic Linux knowledge is helpful to allow you to concentrate on the relevant course content. 

Basically, only a laptop with VirtualBox is needed to participate. A business model with many USB ports and a well supported Linux distribution is the better choice.  Due to the openness, makes it much easier to set up the hardware used for the class. 

The IoT kits contained in the course are equipped with a very good selection of different components. Not only can you solve the tasks individually or with a partner during the course, but can later repeat everything again and learn further.

The slides are in English, which makes sense due to the many technical terms. The trainer Pablo Endres can hold the event not only in English but also in German and Spanish. Because of the small groups the trainer can attend to individual participants. By the way, the venue is very good, the breaks are well chosen; food and drinks are tasty :-D”